This invention relates to electronic commerce on the Internet using a smart card and, in particular, to methods and systems for securely accessing and retrieving information from a personal web site stored in a smart Java card.
A smart card typically includes a plastic carrier, in which is embedded a specially designed integrated circuit (IC) and either a set of contacts or an aerial for contactless operation. It contains at least one of three types of memories (ROM, RAM, and EEPROM) and/or a microprocessor. A smart card also needs to conform to the ISO 7810-7813 (bank card size and thickness), ISO 7816, EMV, and ETSI standards. The most important aspect of the smart card is the ability to control access to the card's memory by the use of password protection and/or other security mechanisms. Other important components of the system incorporating a smart card include the smart card reading devices and computer systems which access the information on the card during operation, and the systems which manufacture, issue, and control the smart card and the various encoding keys contained in the card.

A typical implementation of data security in computer systems involves providing a mechanism for proving the identity of the person sending or receiving messages and assuring that the message contents have not been altered. That is, confidentiality, authentication, integrity and nonrepudiation are four modern data communications security requirements. These requirements can all be managed by using a form of cryptology. Cryptology, as is well known by persons skilled in the art, is a science of codes and ciphers. In cryptology, original data or plaintext is encrypted using a key. The encrypted data, or ciphertext, usually appears to be a meaningless series of bits which cannot be understood by anyone reading it. To restore the data into a readable text, the receiving person must decrypt the encrypted data. A typical encryption technique includes two main components: an algorithm and a key. The same or a different algorithm/key pair may be employed by a decryption technique for decoding the encrypted data back to a readable text.
Before the data is encrypted, the data is often scrambled or rearranged for further security. Encryption techniques are also used in digital signatures to authenticate the signing party.
Presently, smart cards are used throughout the industrialized countries to identify, to travel, to gain access to buildings, to obtain cash from the bank, to place telephone calls, and to pay for goods and services. Many governments use smart cards to pay welfare, medical, family and social benefits. The cards which are prevalent in daily applications usually have a memory governed by a type of fixed logic, but typically do not include a microprocessor.
Java is the object-oriented computer language that makes programming and distributing software easier and more secure because programs written in Java language are platform independent and have built-in security. Because the leading smart card manufacturers are developing smart cards with common operating system based on the Java Card API, the smart Java cards will become interoperable in almost any computer system. An application included in the smart Java card can be subsequently modified or updated with ease and convenience by a user. Moreover, the smart Java cards are not limited to having one application. Constrained only by a memory capacity, the smart Java cards can hold more than one application per card.
The widespread availability of World Wide Web (WWW or Web) phones, Personal Data Assistants (PDAs), and Windows CE-based machines with Internet connectivity provides anyone within reach of those devices worldwide access to the Internet. With such wide access to the Internet, it is highly desirable to have efficient techniques for accessing Web pages. An Internet user typically employs a browser to access Web pages. The most popular browsers currently in use are Netscape's Navigator and Microsoft's Internet Explorer. Storing personal data in the Web page format in a smart Java card will make the card, and hence the data, accessible almost everywhere and anytime with built-in security.
The following are some of the articles describing the current state of smart cards. An article on the University of Maryland Website, http://des.umd.edu/xcx9cmelody/research/smart13 card.html, entitled "The Smart Card: Just How Smart Is It?" lists a variety of current applications of smart cards, for instance, toll payment, personal identification, health care, retail, and travel. With the advent of the Java language, a smart card can be programmed in Java, and hence is sometimes referred to as a Java card. A paper in IEEE Internet Computing, Vol. 1, no. 1, pp. 57-59, January-February 1997, "Java Card: Internet Computing on a Smart Card", describes a scenario of using a smart card as a means to generate and store a private encryption key. According to the Schlumberger press release dated Mar. 13, 1997, "Smart Cards to Catalyse 'Electronic-Commerce Explosion'", the company has developed a set of software tools that enables secure Internet commerce and a smart card equipped with a Motorola chip that can perform public key encryption and decryption on the card. U.S. Pat. No. 5,590,197, entitled "Electronic Payment System and Method", describes an electronic payment system in the form of an electronic wallet (a smart card is one of the electronic forms) that contains protected account information and a file with a set of public keys stored for encryption.
It is an object and advantage of this invention to provide improved methods and systems for accessing and retrieving personal information in the smart Java card or executing electronic commerce through the Internet with improved security that overcome the foregoing and other problems.
In the preferred embodiment of the present invention, a user's identity is first verified by the user's unique PIN (Personal Identification Number), optionally accompanied by images of the user's face, hand, and/or eye. Additional checking of the user's identity in this first step may be performed using the user's voice characteristics and/or fingerprints, before enabling the user to access his or her personal Web site stored in the smart Java card.
Second, a secure key or security certificate, downloaded previously from the card issuer or a bank or financial institution, is stored in the smart Java card. The secure key or security certificate is sent to the host computer or bank ATM when the smart Java card is inserted into the reader. The key or certificate is then combined with the user-entered PIN. The combined data is sent back to the smart Java card. The encryption engine in the card decodes the combined data to recover the PIN, which is then compared with the authentic PIN stored in the card. If the PIN is correct, the secure personal Web page is sent to the host computer. Similarly, a bank or a financial institution may verify the authenticity of the card and the user's identity whenever the user tries to electronically access the data associated with the financial institution through the Web browsers.
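The exchange described in the preceding paragraph can be traced in code. The following is an added illustration, not part of the original text or of any card vendor's software: it simulates the card and the host in plain Java SE, using `javax.crypto` in place of the card's encryption engine. The choice of RSA-OAEP as the way the key is "combined" with the PIN is an assumption (the text names no algorithm), and the class names, the PIN and the page contents are hypothetical.

```java
import javax.crypto.Cipher;
import java.nio.charset.StandardCharsets;
import java.security.*;

public class CardPinExchange {
    // Assumed algorithm; the source text does not specify one.
    static final String OAEP = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";

    /** Simulated card: holds the private key, the reference PIN and the page. */
    static class Card {
        private final KeyPair keys;
        private final byte[] storedPin;
        private final String page = "<html>personal page (constructed)</html>";

        Card(String pin) throws GeneralSecurityException {
            KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
            g.initialize(2048);
            keys = g.generateKeyPair();
            storedPin = pin.getBytes(StandardCharsets.UTF_8);
        }

        // Step 1: on insertion, the card sends its key to the host.
        PublicKey sendKey() { return keys.getPublic(); }

        // Steps 3-4: decode the combined data, compare PINs, release the page.
        String requestPage(byte[] combined) {
            try {
                Cipher c = Cipher.getInstance(OAEP);
                c.init(Cipher.DECRYPT_MODE, keys.getPrivate());
                byte[] pin = c.doFinal(combined);
                // isEqual does not stop at the first differing byte.
                return MessageDigest.isEqual(pin, storedPin) ? page : null;
            } catch (GeneralSecurityException e) {
                return null; // malformed or tampered data: refuse
            }
        }
    }

    // Step 2 (host side): combine the card's key with the PIN the user typed.
    static byte[] combine(PublicKey cardKey, String enteredPin)
            throws GeneralSecurityException {
        Cipher c = Cipher.getInstance(OAEP);
        c.init(Cipher.ENCRYPT_MODE, cardKey);
        return c.doFinal(enteredPin.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        Card card = new Card("4921"); // constructed sample PIN
        PublicKey k = card.sendKey();
        System.out.println("correct PIN: " + card.requestPage(combine(k, "4921")));
        System.out.println("wrong PIN:   " + card.requestPage(combine(k, "0000")));
    }
}
```

The reference PIN and the private key never leave the simulated card; the host only ever sees the key the card sends and the page released after a successful comparison.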
The methods and systems of this invention are particularly useful for authorized access to personal links, such as bank accounts, because the smart Java card has a capacity to store personal keys. Moreover, the smart Java card includes an encryption engine which manipulates the personal keys with other required user inputs to verify and authenticate the identity of the user. With the secure information and the encryption engine stored in the smart Java card, the present invention provides for security verifications at multiple check points, allowing the user to conduct electronic transactions including electronic commerce with improved security.
Further features and advantages of the present invention as well as the structure and operation of various embodiments of the present invention are described in detail below with reference to the accompanying drawings. In the drawings, like reference numbers indicate identical or functionally similar elements.